Documentation
Overview
Amazon Web Services attestation
Attestation for AWS using NitroTPM.
AWS currently does not support confidential VMs, but offers a TPM 2.0-compliant vTPM integration. We use this to enable a TPM-based, measured-boot Constellation deployment.
Issuer
The TPM attestation is signed by the NitroTPM's RSA attestation key. In addition to the TPM attestation, we attach a node's instance identity document to the attestation document.
Validator
Currently, the NitroTPM provides no endorsement certificate for its attestation key, nor does AWS offer a secondary way of verifying it. For now, we have to blindly trust the key.
In addition to verifying the TPM attestation, we also check the instance identity document for consistency.
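The trust model described above, as an added Go example that is not Constellation's code: a validator that verifies a quote with the RSA key carried in the attestation itself and then compares PCRs against expected measurements. The `Attestation` layout, `Issue`, `Validate`, `digest` and the PCR values are hypothetical simplifications (a real TPM quote has its own format and includes a nonce).

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Attestation struct {
	AK        *rsa.PublicKey    // sent by the node, no endorsement cert (hypothetical layout)
	PCRs      map[uint32][]byte // PCR values reported by the node
	Signature []byte            // RSA signature over digest(PCRs)
}

func digest(pcrs map[uint32][]byte) []byte {
	h := sha256.New()
	for i := uint32(0); i < 24; i++ { // fixed order, index bound into the hash
		h.Write(append([]byte{byte(i)}, pcrs[i]...))
	}
	return h.Sum(nil)
}

func Issue(key *rsa.PrivateKey, pcrs map[uint32][]byte) (Attestation, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(pcrs))
	return Attestation{AK: &key.PublicKey, PCRs: pcrs, Signature: sig}, err
}

// Validate: nil means signature and PCRs are self-consistent. With no
// endorsement certificate, it says nothing about which TPM holds the key.
func Validate(a Attestation, expected map[uint32][]byte) error {
	if a.AK == nil || rsa.VerifyPKCS1v15(a.AK, crypto.SHA256, digest(a.PCRs), a.Signature) != nil {
		return fmt.Errorf("quote signature invalid")
	}
	for idx, want := range expected {
		if !bytes.Equal(a.PCRs[idx], want) {
			return fmt.Errorf("PCR %d differs from expected measurement", idx)
		}
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	pcrs := map[uint32][]byte{4: bytes.Repeat([]byte{0xAA}, 32)} // constructed
	att, _ := Issue(key, pcrs)
	fmt.Println("validation error:", Validate(att, pcrs))
}
```

Because the key is taken from the document, the expected PCR measurements are the only input in this sketch that the verifier controls.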
Types
type Issuer
type Issuer struct {
    variant.AWSNitroTPM
    *vtpm.Issuer
}
Issuer for AWS TPM attestation.
func NewIssuer (added in v2.2.0)
func NewIssuer(log vtpm.AttestationLogger) *Issuer
NewIssuer creates a new OpenVTPM-based issuer for AWS.
type Validator
type Validator struct {
    variant.AWSNitroTPM
    *vtpm.Validator
    // contains filtered or unexported fields
}
Validator for AWS TPM attestation.
func NewValidator (added in v2.2.0)
func NewValidator(pcrs measurements.M, log vtpm.AttestationLogger) *Validator
NewValidator creates a new Validator structure and returns it.